Sun, 28 August 2016
Hacking Car Anti-collision Systems, August 28, 2016
A group of researchers presenting at this month’s Def Con hacker conference showed how they were able to trick Tesla's sophisticated anti-collision sensors to make a car hit an object it would normally detect in its path.
Before we start on the cars – you went to Def Con this year Mike – how was it?
So let’s get to the cars now – who did this research?
The group consisted of Chen Yan, a PhD student at Zhejiang University, Jianhao Liu, a senior security consultant at Qihoo 360, and Wenyuan Xu, a professor at Zhejiang University and The University of South Carolina.
So can you give a quicker overview of what they did?
They discovered methods for "quieting" sensors to diminish or hide obstacles in a car's path, "spoofing" them to make an object appear farther or closer than it actually is, and jamming, which, Yan said, renders the sensor useless as it's "overwhelmed by noise."
Could this be done now? I mean, if someone is driving a Tesla or any other car with this kind of sensor technology, should they be concerned?
It's important to note that the demonstration was a proof-of-concept that did not mimic real-world conditions today. Researchers were working on cars that were usually stationary with what was sometimes very expensive equipment. They noted that the "sky wasn't falling."
But the experiment suggests that theoretically, a few years from now, somebody could make a device that could jam certain sensors in a nearby car.
Can you talk about these sensors a little more?
There are a number of sensors on a Tesla Model S that are used for a variety of functions. It has radar to detect objects in front of it, GPS for location tracking, and cameras to detect speed limit signs and lane markings, for example. As the talk showed, many of these things can be tricked by a determined attacker.
Is it just Tesla people need to be concerned about?
Much of their presentation focused on the Tesla Model S, but they also successfully jammed sensors on cars from Audi, Volkswagen, and Ford.
So what kinds of systems were they jamming?
Cars with ultrasonic sensors
Cars with parking assistance
The Tesla Model S with self-parking and summon
Let’s talk a little more about what they were able to demonstrate.
In a video demonstrating an attack, the researchers jammed sensors in the rear of the Model S, so the car did not know it was about to hit a person standing behind it. In another, they "spoofed" its Autopilot to trick it into thinking it would drive into something that was not actually there.
You mentioned they talked about using lasers – can you give any details?
They also used off-the-shelf lasers to defeat the onboard cameras, and, in one of the most low-tech demonstrations, they wrapped objects up in cheap black foam that rendered them invisible to the car's sensors.
What kind of feedback did they get from the manufacturers?
Yan said after the talk that Tesla reacted positively when they disclosed their research, and it was researching ways to mitigate these types of attacks. "They appreciated our work and are looking into this issue," he said.
So, in summary what are the auto makers concerned about after this presentation?
Where can people get the full Deaf Con presentation?
It's available at Def Con’s website https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON-24-Liu-Yan-Xu-Can-You-Trust-Autonomous-Vehicles.pdf
Mon, 15 August 2016
Q: Could you tell us a little about how this research began?
A: Actually in 2013 Flavio Garcia, a computer scientist at University of Birmingham, and a team of researchers were about to reveal a vulnerability in the ignition of Volkswagen cars that allowed them to start the car and drive off without a key. This vulnerability was present in millions of VWs.
Q: You say “about to reveal”?
A: Yes, they were sued, which delayed the publication of the work for 2 years. They used that time to continue their research into vulnerabilities with VW cars.
Q: So did they find anything new?
A: They sure did. The paper they just published identifies flaws not only with the ignition system, but also with the keyless entry system.
Q: How many cars are we talking about?
A: The researchers claim that every Volkswagen sold since 1995 is affected. The estimate is nearly 100 million cars!
Q: Which cars are affected?
A: There are two distinct attacks – one impacts Audi and Škoda cars; the other Alfa Romeo, Citroen, Fiat, Ford, Mitsubishi, Nissan, Opel, and Peugeot.
Q: Do they provide any details of the attack?
A: They use radio hardware to intercept signals from the victim’s key fob, using the intercepted signals to clone the key. They started with software defined radio connected to a laptop, but have moved to a small $40 setup that includes an Arduino board with an attached radio receiver.
Q: How concerned should we be?
A: Of the two attacks, the one targeting Volkswagen cars is most concerning because (1) there is no indication to the drivers that they’ve been compromised, (2) one a single button press needs to be intercepted.
Q: Why is the security weak?
A: It turns out that millions of Volkswagen vehicles share a single cryptographic key. Using the hardware we described earlier, researchers capture another key unique to the target vehicle that is transmitted every time the button on the key fob is pressed. By combining these two key, the researchers can clone the key fob. A single interception and the car is “owned”.
Q: So it’s that easy?
A: Not quite that easy. A few caveats. The attacker has to be within 300 feet of the car. The shared key is not quite universal. The shared key may change based on the model of the car and the year. Also, the internal components where the shared is extracted from may be different.
Q: So the key’s not universal. That’s good, right?
A: Yes, except that the 4 most common keys are used in nearly all the 100 million Volkswagen’s sold in the past 20 years.
Q: So should listeners sell their Volkswagens?
A: No, not yet. The researchers have not revealed where the shared key is stored, but a determined hacker could reverse engineer the keys and publish or sell them. And a newer locking system, used in the VW Golf 7 and other models, uses unique - not shared - keys and it his immune to these attacks.
Q: You mentioned that there are two attacks. What’s the second?
A: The second technique exploits flaws in a common cryptographic scheme called HiTag2 that is used in millions of vehicles.
Q: How does this attack work?
A: The hardware setup is similar to the previous attack. One big difference is that you don’t need to extract any internal keys from the car. You do have to intercept more codes from the target key fob - eight codes specifically. These codes include a rolling code number that changes with every button press.
Q: Sounds a lot like cracking a WEP key on a wireless network.
A: It is. In fact, the researchers suggest jamming the key fob so that the driver has to repeatedly press the button. Essentially generating more traffic to capture. Similar to a so-called replay attack used to help speed up the cracking of WEP keys.
Q: Why not just updated the encryption scheme?
A: It turns out the HiTag2 crypto system is hard coded into chips made by semiconductor company NXP. According to NXP HiTag2 is a legacy security algorithm - 18 years old. Since 2009, they have introduced new, more advanced algorithms, but car makers have been slow to transition to these new chips.
Q: So attackers can unlock the car. Can they steal the car?
A: While these attacks focus on the key fob and unlocking the car. Other research - even these researchers previous work - focuses on exploiting vulnerabilities in the ignition system and bypassing so-called immobilizer systems that are intended to prevent the car being driven without the key fob present. Combining these attackers, it would be possible to steal the car. In fact, there is already evidence of sophisticated digitally-enable car thieves using mysterious “black box” devices to steal cars.
Q: So what should car owners do?
A: Car owners can’t fix the vulnerabilities, so there’s little they can do to avoid these sort of attacks. If you’re concerned about someone cloning your key fob (1) don’t leave valuables in the car, (2) avoid using the key fob at all.